Is Your Supply Chain Protected Against Cyberattack?

When you think about supply chain risks, what's often mentioned is not something related to the physical supply chain. Rather, it's the growing number of IT-related cyberthreats that could do serious damage.

A recent report from the Georgia Institute of Technology on emerging cyberthreats, for instance, addresses exactly this theme. Give the report a quick scan, and phrases and section headlines like these could leave many supply chain executives and CIOs wondering what's lurking in the background undetected:

Insecurity of the Supply Chain: Hard to Detect, Expensive to Fix, and a Policy Nightmare

Supply chain insecurity is both hard to detect and expensive to defend against

On an international policy level, supply chain issues will continue to be an intractable problem

Cloud Security Enters Its Teenage Years: Data in the Cloud Will Have Better Overall Security, but Failures Will Be Severe

So, it's not a stretch to believe that we'll be seeing more companies and governments trying to curb these risks in the next couple of years. In fact, we're already seeing some of this conversation happening in Europe.

Earlier this month, the EU proposed new cybersecurity rules that provide the region's "comprehensive vision on how best to prevent and respond to cyber disruptions and attacks." With the overarching aims of "achieving cyber resilience, drastically reducing cybercrime and establishing a coherent international cyberspace policy for the European Union," the directive is looking for ways to address problems like these listed in its press release:

According to the World Economic Forum, there is an estimated 10 percent likelihood of a major critical information infrastructure breakdown in the coming decade, which could cause damages of $250 billion.

The 2012 Eurobarometer poll on cybersecurity found that 38 percent of EU Internet users have changed their behavior because of these cybersecurity concerns: 18 percent are less likely to buy goods online and 15 percent are less likely to use online banking.

Eurostat figures show that, by January 2012, only 26 percent of enterprises in the EU had a formally defined ICT security policy.

According to media reports, each EU member state would set up "CERTs," or Computer Emergency Response Teams, to deal with hacking and malware crises and there will be more pressure placed on private companies across many vertical sectors -- banking, energy, Internet search engines, cloud service providers, transportation, stock exchanges, to name a few -- to report major security breaches and cyberdisruptions. The Wall Street Journal, citing EU officials, said as many as 40,000 companies could be impacted if the proposal becomes law. That means many companies either directly in or touching the electronics supply chain may be included in the reporting requirements.

The proposal has to go to the European parliament and be approved by the leaders of the EU's 27 national governments before being signed into law, a process that could take a couple of years. Even though companies don't have to comply with this right now, it seems pretty clear the handwriting is on the wall.

Cyberthreats will continue to be a significant risk on many levels. Governments will try to protect their constituents from cybercrimes with rules that will impact businesses. Supply chains -- and the IT systems supporting them -- could face serious disruptions in the wake of major security breaches. So, maybe now's a good time to ask -- what are you doing to curb such risks?

I reckon a lot of high tech companies spend more time trying to innovate and stay ahead compared to protecting what IP they already have. Now direct cyber attacks that result in theft of "cash" is a different matter handled normally by expensive insurance policies.

Ashish, Brian, t.alex - this is consistently a problem everywhere. Disaster recovery plans are sitting in some file cabinet, and everyone scratches their head when they're attacked, wondering what happened. It seems, though, investing in this and seeing it all the way through to execution, with a team responsible for regular maintenance and updates, shouldn't be too hard to accomplish. It is 2013, not 1990 - we have tools and stuff to manage this, right?

I agree with Brian on this issue of redundancy. With all the info companies track, this data has to be somewhere, on some spreadsheet. But, I'm sure companies are not so willing to share some of this data. Why tell the hackers how much would be lost with an outage, why not keep people guessing?

Hospice, HM - being proactive and identifying threats are key. But I imagine that many teams of people could spend nearly all their time tracking all the different threats a company could face on a daily/weekly basis. Maybe that's not a bad thing either...

If you work with the fact that, in more ways than one, your company is a representative of the average company in America, it becomes pretty obvious how few companies have robust and resilient disaster recovery plans.

Ashish, you're quite correct. I remember many years ago, we as a company reacted to some major U.S. power outage by pulling together a company-wide contingency plan. It was probably the most detailed work in this area we'd ever done.

It was impressive.

The plan was completed and promptly forgotten. There was no annual review or ownership assigned to it.

While conversations about digital supply chains are pervasive, many executives and supply chain teams are not sure how to scale their initiatives beyond piecemeal tools. The decisions made now have the potential to impact the future of business.